ChrisCCC
just joined
Topic Author
Posts: 23
Joined: Thu Apr 07, 2016 7:28 pm

Fastpath with Input rules

Fri Jul 09, 2021 2:08 pm

Any chance ROS7 is going to address the limitation whereby adding Input rules to your router disables fastpath?

Input and forward traffic should ideally be treated differently; it should be possible to add input rules without having to enable connection tracking in order to utilise Fasttrack for forwarded traffic.

Cheers.
 
ChrisCCC
just joined
Topic Author
Posts: 23
Joined: Thu Apr 07, 2016 7:28 pm

Re: Fastpath with Input rules

Fri Jul 16, 2021 9:58 pm

I guess that’s “no” then.
 
kiler129
Member
Posts: 352
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: Fastpath with Input rules

Tue Jul 20, 2021 3:48 am

This is mostly a community-driven forum. If you want to get an answer from MT directly you should contact their support email.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Fastpath with Input rules

Tue Jul 20, 2021 4:00 am

OP is not only asking us outsiders to speculate on MikroTik's future development; he also isn't saying which devices he needs these rules to work on, nor exactly what capabilities he's expecting of the rules.

ChrisCCC, the thing is, hardware offloading of firewall rules is highly dependent on the actual hardware chips in use. I don't expect any future chip to ever equal what you can achieve with a general-purpose CPU and a Linux kernel's firewall chains. If such a thing occurred, it would be a general-purpose CPU running Linux. :)

And in a sense, MikroTik has provided this: it's their higher-end routers. It's why they have so many CPU cores: to run all those firewall rules really fast.

Assuming you aren't going to replace your current router, let's get concrete and talk about specific cases. We may be able to advise you of ways to achieve some measure of hardware offloading. Switch and bridge rules are pretty powerful on their own.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Fastpath with Input rules

Tue Jul 20, 2021 9:00 am

I guess that the thing is that when there are any firewall filter rules (which by definition enables a stateful firewall), connection tracking has to be performed (because that's how connection state is determined). The connection tracking result is one of the inputs for the routing decision, which in turn decides which firewall filter chain has to be used.

OTOH, CPU-based packet forwarding isn't wirespeed on any MT device. Surely fastpath does help a little, but if you're after wirespeed routing/firewalling, your best bet is to wait for ROSv7 stable and use one of CRS3xx models supporting L3 HW offloading.
 
ChrisCCC
just joined
Topic Author
Posts: 23
Joined: Thu Apr 07, 2016 7:28 pm

Re: Fastpath with Input rules

Tue Jul 20, 2021 7:58 pm

This is a feature which has been requested before on this forum.

Essentially, there's a hard limitation at the moment where, when any filter rule is added, fastpath is disabled. For a basic BGP router, where pure routing is all it does, you may still want filter rules on the input chain to protect the router itself. In this scenario, even without any rules on the forward chain, fastpath is globally disabled, leaving enabling connection tracking and using fasttrack as the only option. It would be nice if ROS could make a distinction between input and forward traffic and apply fastpath accordingly.

Now, it's entirely possible that this is architecturally unfeasible, or impossible, but to the best of my knowledge MT have never actually answered this question.
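For readers who land here looking for the workaround ChrisCCC describes (input-chain rules that protect the router itself, with connection tracking enabled and a fasttrack rule so forwarded traffic still takes the fast path), the configuration below is an added illustrative example and was not posted by anyone in this thread. The address-list names, the 192.0.2.0/24 peer addresses and the management port numbers are assumptions; adjust them to your own setup.

```routeros
# Constructed example: BGP peers and management hosts live in address lists
# (192.0.2.0/24 is a documentation range used here as a placeholder).
/ip firewall address-list
add list=bgp-peers address=192.0.2.1 comment="placeholder upstream peer"
add list=mgmt-hosts address=192.0.2.0/24 comment="placeholder admin network"

# "auto" turns connection tracking on as soon as a rule needs it, which the
# fasttrack rule below does; this is the trade-off the thread discusses.
/ip firewall connection tracking
set enabled=auto

/ip firewall filter
# --- input chain: protects the router itself (always takes the slow path) ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to sessions the router opened"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="keep path MTU discovery working"
add chain=input action=accept protocol=tcp dst-port=179 src-address-list=bgp-peers \
    comment="BGP only from known peers"
add chain=input action=accept protocol=tcp dst-port=22,8291 src-address-list=mgmt-hosts \
    comment="SSH/Winbox only from admin hosts"
add chain=input action=drop comment="everything else aimed at the router"

# --- forward chain: routed traffic ---
# The fasttrack rule must come before the accept rule for the same traffic;
# once a connection is marked, its later packets skip the rest of the firewall,
# mangle and simple queues, so anything you still want inspected per packet
# must be excluded from this rule.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
```

`/ip firewall filter print stats` shows the packet counters per rule, so the fasttrack rule's counter growing while the plain accept rule's counter stays low confirms that forwarded traffic is actually being fasttracked.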
